atena fraud waste abuse and compliance...this training module consists of two parts: (1) medicare...

nrdinal

Health

• Partners

May 26, 2015

Dear Aetna Medicare/Coventry Medicare Cardinal Provider,

In order to ensure quality standards, it's impotiant that all entities doing business with Medicare abide by compliance

requirements. We recently received a reminder from Aetna/Coventry regarding the requirement for annual Medicare

Compliance Program Training. Some of your compliance obligations as a Paiiicipating Medicare Provider are:

• Adopt Standard of Conduct and have compliance policies and procedures. You may utilize Aetna's Code of Conduct and Compliance Policies or your own comparable code of conduct.and compliance policies

• Train and distribute Standards of Conduct and compliance policies within 90 days of initial hire and annually thereafter to all of your employees, downstream and related entities who are assigned to work on Medicare patients/business

• Complete Medicare Fraud, Waste and Abuse and compliance training within 90 days ofhire and annually thereafter. (Can complete CMS Parts C&D Fraud, Waste & Abuse training aud general compliance training avaiiable on the CMS.gov website)

• Maintain evidence of your compliance with the Medicare Compliance Program requirements for no less than 10 years. Aetna or CMS may request that you provide documentation of your compliance with there requirements. (i.e. copies of sign in sheets, signed attestations and/or election certifications) for training

• Must have confidential repotiing mechanisms in place for ymir staff in reporting any potential Fraud, Waste and Abuse or non compliance issues

• Ensure none of your employees that work on Medicare business are on the Department of Health and Human Services Office oflnspector General (O!G) or the General Services Administration (GSA) System for Award Management (SAM) excluded per;ons, sanctions or debarment lists through screening these lists prior to hire and monthly thereafter

• If provider has their own Medicare compliance training rather than the CMS module, you must ensure that it complies with all Jaws, rules and regulations that apply to Medicare compliance n·ainiug.

We have included Aetna's Code ofConduct, Compliance Program Guide and Compliance Policies for your reference. In the event CMS ever audits you, you will need written proof of all training dates, names of employees, copies of your Compliance Plan and your policies and procedures. ·

For more complete description of your requirements you may refer to the Code of Federal Regulation which outlines these Medicare Compliance Program requirements and are specifically defined by CMS in the January 11, 2013 release of the Compliance Program Guidelines found in Chapter 21 of the Medicare Managed Care Manual.

Thank you for your continned suppoti for A_etna's Medicare program.

Sincerely, I'~,--.(!

,·)) ,)).. --r ,L-tJ'(.. ,li) Marty Mansfield Director Cardinal Health Patiners, Limited

CENTERS FOR MEDICARE & MEDICAID SERVICES

:;::::::::t;,4 ,, r"",:;;rr-__.JmE"·"" Fffrbtrum! .. ,

( \

f1

,,1!11!(!iii

'U:i:>-,'

I l

Developed by the Centers for Medicare & Medicaid Services

Issued: February, 2013

1··"· ,·,"~':-"1,01•:,r• ·'i":1:;

Please select the appropriate training link below. At the conclusion of the selected part, you will be returned to this screen. Note the below links only work when viewing this module in "slide show" mode. Otherwise, the Fraud, Waste and Abuse Training begins on the next slide and General Compliance Training begins on slide 65.

1) Fraud, Waste, and Abuse Training

2) General Compliance Training

Q1,1.ility hE'.i!th plans & benefits

Healthler living F!nancla! well-being Intelligent sofutlons

First Tier, Downstream, and Related Entities ("FDR") Medicare Compliance Program Guide

March 2015

l

I. Introduction -Aetna's Medicare Compliance Program Aetna's reputation ·as an industry leader depends on our ability to deliver on our promises. For more than 160 years, we have been guided by the highest standards of integrity. Our relationships with our customers, business partners and suppliers are built on trust earned over time and through experience. Each day we must remember our commitment to do the right thing for the right reason and keep the people we serve at the center of everything we do. When we act with integrity, we are living The Aetna Way.

Our Medicare Compliance Program helps us serve our members ethically We're committed to practicing business in an ethical manner. Our Medicare Compliance Program is designed to:

• Reduce or eliminate fraud, waste, and abuse

• Make sure we comply with applicable laws, rules and regulations

• Reinforce our commitment to compliance

We use external entities to bring our members cost-effective healthcare solutions Aetna Health Inc., Aetna Life Insurance Company and affiliates (Aetna) offer Medicare Advantage and Medicare prescription drug plans (collectively, "Medicare Plans"). We contract with several external individuals and entities as a cost effective and efficient way of providing administrative and healthcare services. Some of the services provided by external entities are services that we are required to perform under our contracts wit!J Cl\'1S, The Centers for Medicare and Medicaid Services (CMS) refer to these entities as First Tier, Downstream, and Related entities (FDRs).

You'll find specific requirements in this document CMS also requires that Aetna's FDRs fulfill specific Medicare Compliance Program requirements. We describe these requirements in this document. The Code of Federal Regulations (CFR) outlines these Medicare Compliance Program requirements and they are specifically defined by CMS in the January 11, 2013 release of the Compliance Program Guidelines found in Chapter 21 of the Medicare Managed Care Manual and Chapter 9 of the Prescription Drug Benefit Manual (Manual), which are identical.

It is important for you to follow these requirements You received this guide because we've identified you as a First Tier Entity. This means that you must comply with these requirements.

II. What's an FDR? We use the current CMS definitions to define First Tier, Downstream, and Related Entities:

First Tier Entity is any party that enters into a written arrangement, acceptable to CMS, with a Medicare Advantage Organization or Part D plan sponsor or applicant to provide administrative

Vl.3 - March 2015 Page 2 ET-0087-15

services or healthcare services to a Medicare eligible individual under the Medicare Advantage program or Part D program. (See, 42 C.F.R. §§ 422.500 & 423.501).

Downstream Entity is any party that enters into a written arrangement, acceptable to CMS, with persons or entities involved with the Medicare Advantage benefit or Part D benefit, below the level of the arrangement between a Medicare Advantage Organization or applicant or a Part D plan sponsor or applicant and a first tier entity. These written arrangements continue down to the level of the ultimate provider of both health and administrative services. (See, 42 C.F.R. §§ 422.500 & 423.501).

Related Entity means any entity that is related to a Medicare Advantage Organization or Part D sponsor by common ownership or control and :

(1) Performs some of the Medicare Advantage Organization or Part D plan Sponsor's management functions under contract or delegation; or

(2) Furnishes services to Medicare enrollees under an oral or written agreement; or

(3) Leases real property or sells materials to the Medicare Advantage Organization or Part D plan Sponsor at a cost of more than $2,500 during a contract period.

(See, 42 C.F.R. §§ 422.500 & 423,501).

FDRs providing healthcare services The Medicare Compliance Program requirements described in this guide apply to healthcare providers contracted with Aetna to participate in our Medicare Plan network. This includes physicians, hospitals and other provider types. Here are the reasons why:

• First, Medicare Advantage (MA) regulations and CMS rules clearly state that providers contracted with Aetna to provide healthcare services to our Medicare members are "First Tier Entities."

• Second, Chapter 9 of the Manual lists "healthcare services" as an example of the types of functions that a third party can perform that relates to an MA organization's contract with CMS. This would give third parties "First Tier Entity'' status. (See last bullet point in the Manual, Chapter 9 § 40.) So, these Medicare Compliance Program requirements apply to providers that actually deliver healthcare services to our Medicare members.

• Third, CMS provides a chart in the Manual, Chapter 9 § 40 showing that entities providing health services and hospital groups are first tier entities. So, if we contract with a hospital group and don't have direct contracts with the group's hospitals and other providers, the hospitals and providers are "Downstream Entities." This means that the hospital group is a "First Tier Entity," and must comply and make sure its

Vl.3 - March 201S Page 3 ET-0087-15

Downstream Entities comply with the CMS compliance program requirements in this guide.

FDRs providing administrative services The Medicare Compliance Program requirements also apply to entities with which we contract to perform administrative service functions relating to our Medicare Advantage or Medicare Part D contracts with CMS. Some examples of administrative service functions include:

• Claims processing

• Patient management o Credentialing*

*Under our Medicare Advantage contract with CMS, we're required to credential healthcare providers that participate in our Medicare Plan network. We contract with entities to perform these credentialing services on our behalf under a delegation agreement. CMS considers these delegated credentialing entities to be First Tier Entities. CMS identifies delegated credentialing entities as First Tier Entities in the Manual, Chapter 11 § 100.5.

Other examples of FD Rs include delegates, agents, broker organizations, pharmacies and other individuals, entities, vendors or suppliers contracted with Aetna to provide administrative and/or healthcare services for our Medicare Plans. You can find more information in the Manual, Chapter 9 § 40, including the Stakeholder Relationship Flow Charts.

Ill. FDR Medicare Compliance Program & attestation

requirements It's important that our FDRs are in compliance with applicable laws, rules and regulations. Although we contract with FDRs to provide administrative and/or healthcare services for our Medicare Plans, in the end, we're responsible for fulfilling the terms and conditions of our contract with CMS and meeting applicable Medicare program requirements.

Compliance program requirements First Tier Entities are responsible for making sure that their Downstream Entities comply with applicable laws and regulations, including the requirements in this guide. As a First Tier Entity, you/your organization and all of your Downstream Entities (if applicable) must comply with Medicare Compliance Program requirements. This guide summarizes your Medicare Compliance Program responsibilities. Please review it to make sure that you have internal processes to support your compliance with these requirements each calendar year. These Medicare Compliance Program requirements include, but are not limited to:

A. Fraud, Waste and Abuse ("FWA") training, general compliance training and Code of Conduct/compliance policy distribution

Vl.3 - March 2015 Page4 ET-0087-15

B. Exclusion list screenings

C. Reporting FWA and compliance concerns to Aetna

D. Offshore operations & CMS reporting E. Specific federal and state compliance obligations

F. Monitoring and auditing of First Tier, Downstream and Related Entities

Also, see the "Toolbox of Resources for FD Rs" at the end of this guide. It may help you with meeting these requirements.

What may happen if you don't comply If our FDRs fail to meet these Medicare Compliance Program requirements, it may lead to:

• Development of a corrective action plan

• Retraining

• Termination of your contract and relationship with Aetna

Our actions in response to a First Tier Entity's non-compliance will depend on the severity of the compliance issue. If a First Tier Entity identifies areas of non-compliance (e.g., refusal of an employee to complete the required FWA training), the First Tier Entity must take prompt action to fix the issue and prevent it from happening again.

Attestation requirements You must to maintain evidence ofyour compliance with these Medicare Compliance Program requirements (e.g., employee training records, CMS certificate of FWA training completion, etc.) for no less than 10 years. Also, each year, an authorized representative from your organization must attest to your compliance with the Medicare Compliance Program requirements described in this guide. The authorized representative is an individual who has responsibility directly or indirectlyfor all:

• Employees

• Contracted personnel • Providers/practitioners

• Vendors who provide healthcare and/or administrative services for Aetna's Medicare Plans

This could be your Compliance Officer, Chief Medical Officer, Practice Manager/Administrator, Provider, an Executive Officer or similar related positions.

You may be asked to provide evidence of compliance In addition to completing an attestation, Aetna and/or CMS may request that you provide evidence of your compliance with these Medicare Compliance Program requirements. This is for monitoring/auditing purposes.

Vl.3 - March 2015 Page 5 ET-0087-15

We take these responsibilities very seriously. If you have questions or concerns about these Medicare Compliance Program requirements, just contact your Aetna Relationship Manager. What follows is a description of each Medicare Compliance Program requirement.

A. Fraud, Waste and Abuse ("FWA") training, general

compliance training and Code of Conduct/compliance policy

distribution

FWA and general compliance training As a First Tier Entity, you/your organization must provide FWA and general compliance training to all your employees and Downstream Entities assigned to provide administrative and/or healthcare services for our Medicare Plans. To comply with this requirement, you can use the CMS Medicare Parts C & D Fraud, Waste. and Abuse Training and General Compliance Training. You can also substitute an equivalent version to satisfy these training requirements.

Compliance training requirements Regardless of the method used, the training must be completed:

• Within 90 days of initial hire or the effective date of contracting

• At least annually thereafter

Also, you must maintain evidence of training completion. Evidence of completion may be in the form of attestations, training logs, or other means determined by you to best represent fulfillment of your obligations. For convenience, there are certificates of completion included on the last slides of the CMS Medicare Parts C & D Fraud, Waste, and Abuse Training and General Compliance Training.

The only exception to this training requirement is if you/your organization is "deemed" to have met the FWA certification requirements through enrollment into Medicare Parts A or B of the Medicare program or though accreditation as a supplier of Durable Medical Equipment, Prosthetics, Orthotics and Supplies (DMEPOS). Those parties deemed to have met the FWA training through enrollment into the CMS Medicare Program don't need to complete Part 1: Medicare Parts C and D Fraud, Waste, and Abuse Training. But, they're still obligated to complete Part 2: Medicare Ports C & D Compliance Training.

You can find the training requirements and information regarding deemed status at:

• 42 C.F.R. § 422.503(b)(4)(vi)(C) for Medicare Advantage

• 42 C.F.R. § 423.504(b)(4)(vi)(C) for Part D

• Manual, Chapter 9 § 50.3

Vl.3 - March 2015 Page 6 ET-0087-15

You must give your employees Standards of Conduct Your organization must also provide either Aetna's Code of Conduct (COC) and Medicare Compliance Policies or your own comparable CDC/Compliance Policies (collectively, "Standards of Conduct") to all employees and Downstream Entities who provide administrative and/or healthcare services for our Medicare Plans. You must distribute Standards of Conduct:

• Within 90 days of hire or the effective date of contracting

• When there are updates to such Standards of Conduct

• Annually thereafter

Also, you must retain evidence of your distribution of the Standards of Conduct.

You can find these Standard of Conduct requirements in:

• 42 C.F.R. § 422.503(b)(4)(vi)(A) for Medicare Advantage

• 42 C.F.R. § 423.504(b)(4)(vi)(A) for Part D

• Manual, Chapter 9 § 50.1.1

B. Exclusion list screenings Federal law prohibits Medicare, Medicaid and other federal healthcare programs from paying for items or services provided by a person or entity excluded from participation in these federal programs. Therefore, prior to hire and/or contract and monthly thereafter, each First Tier Entity must check the Office of Inspector General (OIG) and General Services Administration (GSA) "exclusion lists" to confirm that employees and Downstream Entities performing administrative and/or healthcare services for Aetna's Medicare Plans aren't excluded from participating in Federally-funded healthcare programs. You can use these websites to perform the required

exclusion list screening:

• Office of Inspector General (OIG) List of Excluded Individuals and Entities

• General Services Administration (GSA) System for Award Management (SAM)

Also, FD Rs must maintain evidence they checked these exclusion lists. You can use logs or other records to document that you've screened each employee and Downstream Entity in accordance with current laws, regulations and CMS requirements.

You must perfrm exclusion list screenings You're not alone. We're also required to check these exclusion lists prior to the hiring or contracting of any new employee, temporary employee, volunteer, consultant, governing body member, or FDR, and monthly thereafter. We cannot check these exclusion lists for your employees and Downstream Entities. So, to make sure we comply with this CMS requirement, you must confirm that your permanent and temporary employees and Downstream Entities

Vl.3 - March 2015 Page 7 ET-0087-15

that provide administrative and/or healthcare services for our Medicare Plans are not on either of these exclusion lists.

You must take action if an employee or Downstream Entity is on the list If any of your employees or Downstream Entities are on one of these exclusion lists, you must immediately remove them from work directly or indirectly related to Aetna's Medicare Plans and notify us right away.

These exclusion list requirements are noted in§ 1862(e)(1)(B) of the Social Security Act, 42 C.F.R. §§ 422.503(b)(4)(vi)(F), 422.752(a)(8), 423.504(b)(4)(vi)(F), 423.752(a)(6), 1001.1901, and further described in the Manual, Chapter 9 § 50.6.8.

C. Reporting FWA and compliance concerns to Aetna There are a number of ways to report suspected or detected non-compliance or potential FWA. Don't worry-your reports are confidential. You can find this information in Aetna's Reporting Mechanism Poster. Just click the link at the end of this guide. You can share the poster with your employees or Downstream Entities. You can also keep it as a reference tool and use your own internal processes for reporting and collecting these issues. If you choose to your own processes, make sure you report it to Aetna. Refer back to the Code of Conduct section for information on Aetna's reporting guidelines.

You must adopt and enforce a zero-tolerance policy for retaliation or intimidation against anyone who reports suspected misconduct.

Dedicated to Aetna's Medicare Compliance Program is John Wells, Medicare Compliance Officer, who is based in Maryland. Questions or concerns for John and/or his Medicare compliance subject matter experts can be sent to the following mailbox: [email protected].

D. Offshore operations & CMS reporting To help make sure we comply with applicable federal and state laws, rules and regulations, you're prohibited from using any individual or entity (Offshore Entity) to perform services for Aetna's Medicare Plans if the individual or entity is physically located outside of one of the fifty United States or one of the United States Territories (i.e., American Samoa, Guam, Northern Marianas, Puerto Rico, and Virgin Islands). The only exception to this is if an authorized Aetna representative agrees in advance and in writing to the use of such Offshore Entity.

Notify us immediately if you plan to use an Offshore Entity If you perform services offshore or use an Offshore Entity to perform services involving the receipt, processing, transferring, handling, storing, or accessing of Medicare Member protected health information (PHI) and we approve the arrangement, we must submit an attestation to

Vl.3 - March 2015 Page 8 ET-0087-15

mailto:[email protected]

CMS. One example provided by CMS of offshore services that trigger this attestation requirement is "offshore subcontractors that receive radiological images for reading, because beneficiary personal health information (PHI) is included with the radiological image and the diagnosis is transmitted back to the U.S." Therefore, you must immediately notify your Aetna

Relationship Manager if you plan to use an Offshore Entity.

E. Specific federal and state compliance obligations Based upon the services that you/your organization performs for Aetna's Medicare plans, you may be subject to other federal and state laws, rules and regulations that we didn't describe in this guide. If you have questions about the Medicare compliance requirements for the services that you/your organization perform, consult your Aetna Relationship Manager.

F. Monitoring and auditing of First Tier and Downstream

Entities CMS requires that we develop a strategy to monitor and audit our First Tier Entities. This helps ensure compliance with all applicable laws and regulations and that our First Tier Entities monitor the compliance of their Downstream Entities. Therefore, if you choose to subcontract with other individuals/parties to provide administrative and/or healthcare services for Aetna's Medicare Plans, you must make sure that these Downstream Entities abide by all laws and regulations that apply to you as a First Tier Entity. This includes the Medicare Compliance Program requirements described in this guide.

Also, you/your organization must conduct sufficient oversight to test and ensure that your employees and Downstream Entities are compliant with applicable laws, retain evidence of completion, conduct root cause analysis and implement corrective action plans or take disciplinary actions, as necessary, to prevent recurrence of non-compliance with applicable

laws.

Expect routine monitoring and audits We routinely monitor and periodically audit First Tier Entities. This helps us ensure compliant administration of our contracts with CMS to offer Medicare Plans, as well as applicable laws and regulations. Each First Tier Entity must cooperate and participate in these monitoring and auditing activities. If a First Tier Entity performs its own audits, we may request the audit results affecting Aetna's Medicare business. Also, we expect First Tier Entities to routinely monitor and periodically audit their Downstream Entities.

If we determine that an FDR doesn't comply with any of the requirements in this guide, we'll require the FDR to develop and submit a Corrective Action Plan (CAP). We can help the FDR address the identified compliance issues.

Vl.3 - March 2015 Page 9

ET-0087-15

These Monitoring and Auditing requirements are noted in 42 C.F.R. § 422.503(b)(4)(vi)(F) for Medicare Advantage and 42 C.F.R. § 423.504(b)(4)(vi)(F)for Part D, and further described in the

Manual, Chapter 9 § Section 50.6.6.

Questions/Concerns For compliance questions or concerns, you can email the Aetna mailbox:

[email protected]

Toolbox of resources for FDRs The grid below provides links to helpful tools and resources.

Don't have training in place?

Already have your own training In place? Proof of training completion

Don't have your own code?

Medicare compliance department policies

Share our Code and policies

Where is the OIG?

Where is the GSA/SAM?

How do I report noncompliance or potential fraud, waste, and abuse (FWA) to Aetna?

No need to develop your own. You can download the CMS General Compliance and FWA training. Also, you can take the training online {after registration) on the Medicare Learning Network. Use this tool to evaluate if your training is equivalent to CMS'.

This sample log provides a way to document your employee's completion of CMS's General Compliance and Fraud Waste and Abuse Training. You can also modify it to record completion of your own training. Or, you can send this log to your downstream entities to use in monitoring their training completion.

If not, feel free to distribute Aetna's Code of Conduct to your employees. Our Code of Conduct explains our compliance program, but these policies provide more detail about our Medicare Compliance Program. Use this announcement template to share Aetna's Code of Conduct and compliance policies.

Complete OIG exclusion list screenings prior to hire/contracting and monthly for your employees and downstream entities. Complete GSA exclusion list screenings prior to hire/contracting and monthly for your employees and Downstream Entities.

This poster provides ways for reporting issues that impact Aetna, directly to Aetna. Feel free to share this throughout your organization so that your employees know how to report concerns. Remember, you must report suspected or detected non-compliance or potential FWA that impact Aetna.

"

Vl.3 - March 2015 Page 10 ET-0087-15


Downstream oversight

Check yourself

You must conduct oversight of your Downstream Entities. You can do this by requesting attestations from your Downstream Entities to monitor their compliance. Use this attestation to ensure those you contract with (and touch Aetna's Medicare business) comply with the Medicare Compliance Program Requirements. You can use this example tool to assess your compliance with the Medicare Compliance Program Requirements. Your organization can also modify the tool to assess compliance of your Downstream Entities.

More tools You can find other resources online. If you have ideas fortools that would assist you in meeting the Medicare Compliance Program Requirements, send an email to [email protected].

Vl.3 - March 2015 Page 11 ET-0087-15


aetna~Medicare

DEPARTMENT: POLICY#: Version#: EFFECTIVE DATE: Medicare Compliance COMP 201 3.0 01/21/2013

POLICY TITLE: REVISION DATE: Creation and Maintenance of Medicare Compliance Policies, 2/12/2015

Last Modified By:Procedures and other Compliance Documents Nancy Mundy

PRODUCT: MARKET: NEXT REVIEW DATE: PREPARED BY: 2/12/2016

Advantage and PDP

Christina F. Melton Medicare All

PURPOSE

The purpose of this document is to implement the relevant provIsIons of 42 C.F.R. §§ 422.503(b)(4)(vi), and 423.504(b)(4)(vi), Chapter 9 of the PDBM, and Chapter 21 of the MMCM, which requires Part C and Part D sponsors to develop and implement an effective compliance program, including the maintenance of written policies and procedures and standards of conduct.

POLICY

To articulate Aetna's compliance and ethical standards and practices, and its commitment to

comply with all applicable federal and state laws and regulations, Aetna has established written

policies and procedures, including a Medicare Compliance Plan to implement the Medicare

Compliance Program. These policies and procedures, in concert with the Aetna Code of Conduct,

· direct employees, Directors, and FDR employees in implementing the elements of the Medicare

Compliance Plan.

Aetna Medicare Compliance Policies and Procedures are reviewed and updated at least annually, and when there are significant changes to applicable federal and state laws, regulations, or program requirements.

DEFINITIONS/ACRONYMS

CMS-Centers for Medicare & Medicaid Services FDR-First Tier, Downstream, and Related entities MCO-Medicare Compliance Officer MMCM-Medicare Managed Care Manual OIG- Health and Human Services Office of the Inspector General PDBM-Prescription Drug Benefit Manual

ATTACHMENTS

None

Aetna Health and/or Aetna Life Insurance Company

For Internal Use Only

COMP-201 Creation and Maintenance of Medicare Policies and Procedures Procedure Page 1 of 5

Medicare Compliance

DEPARTMENT: Medicare Compliance

POLICY#: COMP 201

Version#: 3.0

POLICY TITLE: Creation and Maintenance of Medicare Compliance Policies, Procedures and other Compliance Documents

EFFECTIVE DATE: 01/21/2013

PROCEDURE

1. Creation of Medicare Compliance Policies

When the need arises, requiring Medicare Compliance to develop and implement a policy and procedure to address new or revised law, regulations, or program requirements, either an existing policy will be revised or a new policy will be drafted. When a new policy is drafted:

A. A New Medicare Compliance Policy will be drafted utilizing the Medicare Compliance Policy and Procedure Template. Desktop guides containing procedural details may be in place to further describe the policy activities.

B. Requirements and responsibilities will be outlined in the draft policy.

C. Once a draft policy is created, it will be reviewed and approved by the leadership within Medicare Compliance responsible for the affected area.

D. The draft policy will then be routed to the Medicare Compliance department employees and/or business partners for review, as needed, to ensure that there are no conflicts to other business or operational policies and procedures.

E. The draft policy is then reviewed by the leadership within Medicare Compliance, and the MCO for comments and feedback. Medicare Legal Counsel may also be consulted for additional review and input.

F. The MCO will review and make finishing policy revisions, as deemed necessary, before issuing his/her final approval. Once approved by the MCO, the policy can be implemented as a final policy and will be loaded to the Medicare Compliance policy repositories.

2. Maintenance and Review of Existing Policies

Existing Medicare Compliance Policies and Procedures and the Medicare Compliance Plan are reviewed at least annually and revised if needed, or when there are legal, regulatory, or program changes that require Policy and Procedure revisions. When existing policies are updated:

A. Updates are noted via track changes in the document.

B. The revised document is submitted to the appropriate member or members of the Medicare Compliance Department for review and comment. Medicare Legal Counsel may also be consulted for additional review and input.

C. The MCO will review and make finishing policy revisions, as deemed necessary, before issuing his/her final approval. Once approved by the MCO, the policy with changes can




Medicare Compliance

DEPARTMENT: POLICY#: Version#: Medicare Compliance COMP 201 3.0

POLICY TITLE: EFFECTIVE DATE: Creation and Maintenance of Medicare Compliance Policies, 01/21/2013 Procedures and other Compliance Documents

be implemented as a final policy and will be loaded to the Medicare Compliance policy repositories.

3. Storage and Communication of Policies

A. Medicare Compliance Policies and Procedures, including the Medicare Compliance Plan, are maintained in sites which are accessible to all Medicare supporting employees:

a. Medicare Compliance AetNet intranet;

b. Aetna Medicare MAPD/PDP Policy and Procedure Management Center.

B. Medicare Compliance Policies and Procedures are communicated to employees who support Aetna's Medicare business within 90 days of hire, when there are significant changes to the Policies and Procedures, and annually thereafter. In addition to these policy communications, Aetna's other foundational documents as defined below are also communicated at these same timeframes.

C. Policy changes are circulated through various mechanisms: staff meetings; Medicare Compliance Committee presentations; etc.

4. Record Retention

When a new policy is created that replaces an existing policy, the obsolete policy is archived in accordance with Aetna's Records Retention Schedule.

5. Other Foundational Compliance Policy Documents

A. Aetna Code of Conduct

Medicare Compliance participates, as needed, in the company's ad hoc or periodic review and update of Aetna's Code of Conduct. This document provides the overarching principles under which Aetna operates, describes compliance expectations (e.g., obligation to report potential/actual non-compliance, fraud, waste or abuse, or violations to code of conduct or company policies, etc.) and the company's commitment to comply with all applicable federal and state standards. Aetna's Code of Conduct is approved by Aetna's full Board of Directors, as material changes are made to the content.

B. Aetna Medicare Compliance Plan

Aetna constructed a Medicare Compliance Program to meet the obligations specified in regulations and guidance from CMS and the OIG which were based upon the United




Medicare Compliance


POLICY#: COMP 201

Version#: 3.0

POLICY TITLE: Creation and Maintenance of Medicare Compliance Policies, Procedures and other Compliance Documents


States Federal Sentencing Guidelines seven elements for compliance plans. These elements are specifically defined within the CMS Compliance Program Guidelines found in Chapter 9 of the PDBM and Chapter 21 of the MMCM. Aetna's program is designed to prevent, detect and correct Aetna's Part C and D Medicare noncompliance and fraud, waste and abuse. Aetna has established various policies, processes, and procedural guides which collectively compose the program. The Aetna Medicare Compliance Plan is a document developed and maintained by Medicare Compliance that provides an overview of Aetna's Medicare Compliance Program and is an evergreen document. It is reviewed at least on an annual basis and updates are made if needed.

SOURCE($) / REFERENCE:

42 CFR § 422.503(b)(4)(vi)(A) 42 CFR § 423.504(b)(4)(vi)(A) Prescription Drug Benefit Manual, Chapter 9 Medicare Managed Care Manual, Chapter 21

Desk Reference/Job Aides:

Aetna Record Retention Schedule: http://aetnet.aetna.com/LawNet/Records Ret Sched.html

REVIEW:

Accountable for Policy Maintenance: Nancy Mundy, Sr. Director, Compliance/Meegan Johnson, Director, Compliance

Accountable for Implementation: John Wells, Medicare Compliance Officer(MCO}

APPROVAL:

APPROVAL SIGNATURE & DATE:

Legal: Nicole Cerquitella. Medicare Legal Counsel 2/12/2015

Compliance: John Wells. Medicare Compliance Officer 2/13/2015

REVIEW AND REVISION HISTORY:



COMP·201 Creation and Maintenance of Medicare Policies and Procedures Procedure Page 4 of 5

http://aetnet.aetna.com/LawNet/Records

Medicare Compliance


POLICY TITLE: EFFECTIVE DATE: Creation and Maintenance of Medicare Compliance Policies, 01/21/2013 Procedures and other Compliance Documents

Reason for Chanae Revision No. Date Updated as part of P&P regulatory update project; Suoersedes Policv 121

02/7/2014

01/21/2013 1.0

Annual review and undate 2/12/2015

2.0 Annual review and uodate 3.0

Review/Approval Date:

Signature Committee Co-Chairperson Aetna Pharmacy Management Quality Oversight committee (APMQOC)

_2/26/2015__________ Approval Date




aetna® Medicare


POLICY#: 202

Version#: 5.0


POLICY TITLE: Compliance Risk Assessment, Auditing, Monitoring and Issue Management Policy and Procedure

REVISION DATE: 2/12/2015

Last Modified By: Nancy Mundy

PREPARED BY: Christina F. Melton

PRODUCT: Medicare Advantage and PDP

MARKET: All

NEXT REVIEW DATE: 2/12/2016

PURPOSE

The purpose of this document is to implement the relevant provIsIons of 42 C.F.R. §§ 422.503(b)(4)(vi), and 423.504(b)(4)(vi), Chapter 9 of the Medicare Prescription Drug Benefit Manual, and Chapter 21 of the Medicare Managed Care Manual, which requires Part C and Part D sponsors to have an effective compliance program, including the implementation and operation of an effective system for routine monitoring and auditing, identifying compliance and Fraud, Waste, and Abuse (FWA) risks with prompt responses, as necessary, in order to protect the Medicare program.

POLICY

Aetna will comply with applicable federal standards regarding the establishment of its Medicare Compliance Plan and Work Plan. Aetna has established and maintains a process to audit and/or monitor its Medicare functions, including those performed by First Tier, Downstream and Related (FDR) entities, for compliance with Medicare regulatory and sub-regulatory guidance, contractual agreements including Aetna contracts with the Centers for Medicare & Medicaid Services (CMS), applicable federal and stale laws, and internal policies and procedures in order to identify potential or actual compliance and FWA risks with prompt responses to same, as well as to assess the overall effectiveness of the Medicare Compliance Program. Desk reference guides or other information may be in place to further define the procedural actions of each of the processes described in this policy.

In addition to the Medicare Compliance activities within this policy, the Internal Audit Department or other areas may conduct risk assessments and subsequently develop audit plans. These areas maintain their own policies and procedures associated with these processes. Medicare Compliance collaborates with these areas to leverage internal resources and enhance multi-disciplinary visibility.



COMP ,202 - Risk Assessment Auditing Monitoring and Issue Management Page 1 of 10

Medicare Compliance


POLICY#: 202

Version#: 5,0

POLICY TITLE: Medicare Compliance Risk Assessment, Auditing, Monitoring and Issue Management Polley and Procedure


PROCESSES

1. System to Identify Compliance Risks

Medicare Compliance, which may coordinate with Aetna's Internal Audit Department, Proactive Compliance Services or other areas, conducts an annual baseline risk assessment relating to Medicare compliance and FWA risk areas. Each business area is assessed and consideration may be given to size of the department, complexity of work, past compliance issues, degree of regulatory change, auditing and monitoring results, and areas of interest by regulators. This assessment is designed to review, rank risk through normative and empirical model, and prioritize the key regulatory risks for all Medicare business operations into a range of Risk Potential categories. The top Risk Potential scores are used to prioritize the development of the annual Medicare Compliance Work Plan (Work Plan). The Medicare Compliance Officer (MCO) is integral to this process, and the results of the risk assessment are reviewed with the Medicare Compliance Committee (MCC). See the supplementary Risk Assessment Desk Reference Guide.

Inclusive in the Work Plan is the completion of a First Tier Risk Assessment. The assessment' includes all First Tier entities servicing Aetna Medicare contracts and risk scores them by the type of function they perform and then by the entities themselves within the highest risk types. Entities within the highest risk types are the priority for the development of a list of targeted First Tier entities to be evaluated during the calendar year.

Medicare Compliance's risk assessments are re-evaluated at least semi-annually to account for significant changes to the regulatory environment and/or significant organizational or procedural changes, as well as to reevaluate the accuracy of the baseline assessment. In addition, off-cycle risks are addressed as they arise.

2. Annual Medicare Compliance Work Plan

A. Development: Using the results of the risk assessment, the Medicare Compliance Officer (MCO), with participation of the Medicare Compliance staff, will develop an annual Work Plan to capture the scheduled monitoring and auditing activities for the prioritized risk areas for the calendar year. The Work Plan will define the auditing and monitoring activities the objective, frequency, and timing of the activities for the relevant calendar year. Auditing and monitoring activities are assigned based on knowledge and expertise of the reviewers, as well as resource availability and timing needs. The Work Plan will define the process for responding to audit and/or monitoring results and conducting follow up reviews of areas found to be non-compliant to determine if the implemented corrective actions have fully addressed the underlying problems.



COMP 202 - Risk Assessment Auditing Monitoring and Issue Management Page 2 of 10

Medicare Compliance


POLICY TITLE: Medicare Compliance Risk Assessment, Auditing, Monitoring and Issue Management Policy and Procedure

POLICY#: Version#: 5.0202


In addition, the Work Plan contains the annual First Tier Risk Assessment and First Tier Audit Plan development, as well as defining the number of First Tier entities strategically selected for review (e.g., "60", "at least 60", etc.) and how they were selected (e.g., "based upon completion of a risk assessment", etc.). For FDRs, Aetna has implemented a multi-faceted auditing and monitoring program. Aetna maintains a risk-based, threeprong approach to oversee Aetna's FDRs which provides a comprehensive oversight strategy: Relationship Managers; specialized oversight units/practices; and Medicare Compliance. The associated business areas of these processes maintain their own policies and procedures (e.g., National Delegation Policy and Procedures 106 and 107, Information Privacy & Security assessment practices, Agent Oversight, etc.). Using the results of the Medicare Compliance First Tier Risk Assessment, Medicare Compliance annually completes a strategic selection of First Tier entities that fall within the highest risk types for development of an annual First Tier Audit Plan. Medicare Compliance collaborates with the Relationship Managers and other business partners for completion of these audits. A designated Medicare Compliance audit tool is used for these reviews and includes Compliance Program components such as the completion of the initial 90 day FWA training, monthly employee screening against the sanction and debarment lists, First Tier oversight of their Downstream entities, etc. See the supplementary Aetna FDR Program Description for additional details.· ·

B. Execution of the Work Plan: The audit methodology and scope of the Work Plan activities will include appropriate methods for selecting facilities, pharmacies, providers, claims, and other areas for audit, as applicable; determining appropriate sample sizes; extrapolation of audit findings in compliance with generally accepted auditing standards; application of targeted or stratified sampling methods; and the use of special targeted techniques based on aberrant behavior. Audits will include an assessment of compliance with Aetna's internal process and procedures. See supplementary Aetna Medicare Compliance Monitoring & Auditing Guide for additional details.

Audits are led by Aetna Medicare Compliance, a business function or another area that is responsible for monitoring and auditing Aetna's operational areas to ensure compliance with Medicare regulations and other applicable requirements. Where there is specific operational, clinical and/or compliance-related expertise that is required, the audit lead will solicit the assistance of other operational and clinical staff to assist in the review. When audit team proficiency cannot be achieved internally, the targeted audit will be outsourced to an external review organization for completion. In all cases, the audit lead is independent of the area/function being audited, allowing for an unbiased audit opinion.

The Work Plan is dynamic and may need to be modified as higher risks/priorities arise, however, any changes made to it must be approved by the MCO.




Medicare Compliance


POLICY#: 202

Version#: 5.0



C. Tracking & Reporting Results: The results of the Work Plan audits shall be reflected in standard audit reports that meet CMS requirements and include key stakeholders during distribution. The results of all Work Plan activities are regularly reported to the MCO, along with the status and effectiveness of any corrective actions.

Identified deficiencies are subject to the corrective action process described below and within the supplementary Aetna Medicare Compliance Monitoring & Auditing Guide.

Work Plan progress, including its subset First Tier Audit Plan, will be tracked by the MCO. The MCO or designee(s) provide updates on Work Plan, including any approved changes, to the MCC, and when appropriate to any of the following: the Aetna Chief Ethics and Compliance Officer, the Aetna Chief Executive Officer for Medicare, Aetna Senior Leadership, and Aetna's Board of Directors or subset. These reports may be in the form of an oral report, written report and/or dashboard view. See Policy and Procedure COMP203 - Medicare Compliance-Lines of Communication Policy and Procedure for additional details on communication with key constituents.

3. Audit of the Aetna Medicare Compliance Program

Aetna's Medicare Compliance Program and Medicare Compliance functions and activities will be audited by a third party to avoid self-policing. Results of the compliance program audits are shared with the Medicare Compliance Officer, the Chief Compliance Officer, the MCC, and members of senior leadership and the Aetna Board of Directors or Audit Committee of the Board of Directors, as applicable. Any identified deficiencies result in corrective actions for issue resolution.

4. OIG/GSA Exclusion and Debarment Screenings

Various business areas within Aetna (e.g., Human Resources, Credentialing, Broker Services, etc.) conduct the Office of Inspector General and General Services Administration sanction and debarment screenings. These areas maintain their own policies and procedures related to these processes. Any potential matches are investigated with appropriate actions taken. Medicare Compliance monitoring of these activities are subject to the annual Risk Assessment process.

In addition, Aetna's Medicare contracts with First Tier entities require that they perform the same pre-hire and monthly verifications against the same lists for all of their employees supporting Aetna's Medicare business. Attestations or other methods of verification may be implemented within the business to evaluate their compliance. otherwise, compliance is assessed for the First Tier entities that are selected for the annual First Tier Audit Plan. In the event that a First Tier entity is unable to evidence compliance with this requirement, corrective actions will be taken in accordance with contractual provisions.




Medicare Compliance

DEPARTMENT: POLICY#: Version#: Medicare Compliance 202 5.0

POLICY TITLE: EFFECTIVE DATE: Medicare Compliance Risk Assessment, Auditing, Monitoring 01/21/2013 and Issue Management Policy and Procedure

5. Aetna's Special Investigation Unit (SIU)

Aetna's SIU is responsible for the identification of potential FWA, timely initiation of investigations, and, where potential FWA is identified, reporting such to the National Benefit Integrity Medicare Drug Integrity Contractor (NBI MEDIC) and/or law enforcement as warranted. Medicare Compliance supports reporting of concerns to the SIU. See COMP203 - Medicare Compliance-Lines of Communications Policy and Procedure identifies the various methods available for reporting of FWA concerns to Medicare Compliance and the SIU. In addition, Medicare Compliance personnel and the MCO are accessible to the SIU personnel on an ongoing basis. The SIU interacts frequently with Medicare Compliance and presents monthly to the MCC regarding case file trends, emerging schemes, and case metrics. The SIU maintains an Aetna Health Care Anti-Fraud Plan and associated policies and procedures on these practices.

A. Data Analytics: Aetna's Special Investigation Unit (SIU) is responsible for performing certain data analytics as a means to prevent and identify potential FWA. The Aetna SIU employs multiple techniques to support our FWA data mining efforts. Both medical and pharmacy claims are scrutinized utilizing top down analysis tools, link analysis tools, as well as targeted ad hoc programming. A combination of rules based examinations and predictive analytics is executed on claims on a daily/weekly/monthly basis to generate leads. Both pre-payment and post-payment analytics are executed.

B. NBI MEDIC/Referrals to NBI MEDIC: Aetna's SIU coordinates and collaborates with the NBI MEDIC on potential FWA investigations. Specifically, if during the course of an investigation SIU identifies a case involving potential fraud or abuse meeting any of the below criteria, SIU will refer the case to the NBI MEDIC in accordance with the guidance for such submissions. (See SIU policy #001.)

• Suspected, detected or reported criminal, civil, or administrative law violations; • Allegations extending beyond Part C and D plans, involving multiple health plans

and states, or widespread schemes; • Allegations involving known patterns of fraud; • Patterns of fraud or abuse that threaten the life or well-being of beneficiaries; and • Schemes with large financial risk to the Medicare program or beneficiaries.

C. Responding to CMS-Issued Fraud Alerts: On occasion, CMS will issue Fraud Alerts via their HPMS notification System. Upon receipt of the Alert, Aetna Medicare Compliance will add the notification to the Alert distribution system, QuickBase, and distribute to all impacted parties (e.g., SIU) for processing under SIU policies (see SIU policy #032) and incorporation into their case tracking systems, as applicable.




Medicare Compliance



D. Providers with History of Complaints: SIU maintains case files for a period of ten (10) years in accordance with Aetna's record retention policy and procedure. See Aetna's Record Retention Policy.

At the launch of each investigation, the SIU assigned investigator is required to review case history to determine whether prior complaints were made, and the nature of any prior complaints. Completion of this activity, including results, is included in the case file.

6. Conducting a Timely and Reasonable Inquiry of Detected Offenses

A. Timeliness of Investigation: Aetna is committed to initiating meaningful investigations into potential compliance issues or suspected FWA in a timely manner. Three main systems receive and investigate these potential issues as described below.

1) Aetna Ethics Office: General compliance and ethics concerns are received through multiple reporting channels such as Aetna's Alertline® (a toll-free ethics hotline), ihe ·Alertline® website, the Aetna Compliance email box and a Post Office Box in West Hartford, CT. The Ethics Office follows Aetna's Compliance/Ethics Complaints and Concerns Handling Policy to ensure prompt and complete review and/or investigation of all compliance and ethics matters received by the Ethics Office through the various reporting channels at Aetna. Investigations are typically initiated within 2 bu_siness days (See Routine Investigations Manual Section 5.8). The TrakEnterprise database is used to record all compliance and ethics concerns received by the Ethics Office.

2) SIU: Potential FWA investigations are received by the SIU through a variety of available mechanisms and are initiated within 5 business days. In the event the SIU or MCO determines that Aetna does not have the time or resources to investigate an instance of potential fraud or abuse in a timely manner, the SIU will refer the matter to the NBI MEDIC within 30 days of the date the potential fraud or abuse was identified. (See SIU Policy #001.)

3) Aetna Medicare Compliance: Issues are received by, identified by, or directed to the Aetna Medicare Compliance team through a variety of available mechanisms (See COMP 203 - Medicare Compliance-Lines of Communications Policy and Procedure). Potential issues may originate from a variety of sources (e.g., selfevaluations, auditing, monitoring, regulatory inquiries, CTMs, CMS, employee referrals, etc.). Issues received by Aetna Medicare Compliance require initial investigation to be initiated no later than 2 weeks (14 calendar days) after the date that the potential issue was identified.




Medicare Compliance


POLICY#: 202

Version#: 5.0



B. Documentation: Case investigations are recorded in the manner and practice prescribed by the policies that are in place for each of the above systems. Compliance inquiries are welldocumented through Aetna Medicare Compliance procedures: 1) Upon identification of a potential issue, Medicare Compliance creates a "Potential

Issue" in the issue tracking database. The potential issue is assigned an Executive Owner, Business Owner and initial risk level.

2) The Business Owner and Executive Owner are engaged in the issue and are charged with launching an assessment of the issue, including root cause analysis, impact of the issue (number of members/ financial impact), and duration of the issue.

3) Medicare Compliance monitors the timely completion of issue analysis, and provides reports to the MCO and the MCC.

7. Corrective Actions

A. Corrective actions to address potential non-compliance or FWA are developed and implemented on a case-by-case basis. The MCO oversees all Corrective Action Plans (CAPs) along with his/her Medicare Compliance designee for each issue. Corrective actions will be designed to correct the underlying problem leading to the non-compliance and to prevent future non-compliance, and will include timeframes for specific achievements.

1) General Compliance and Ethics issues: In accordance with Aetna's Code of Conduct, and related Workplace Policies, corrective actions may include (i) employee discipline (e.g., coaching, written warnings, suspension and other actions up to and including employee termination), (ii) new and/or revised policies/procedures/workflows, and (iii) employee training.

2) Potential FWA issues are referred to CMS by the MCO or his/her designee and/or to the NBI MEDIC by SIU or another Aetna party, as necessary. Corrective actions may include overpayment recovery, payment suspension, Prescription Drug Event correction/deletion, and other actions up to and including provider termination.

3) Issues of non-compliance require remediation and resolution plans are reviewed by Aetna Medicare Compliance to determine the reasonableness of the plan of action to correct deficiencies. In addition, Aetna Medicare Compliance tracks the completion of the action plan to resolution.

4) Corrective actions to address non-compliance by an FDR are monitored by the appropriate oversight committee, as applicable. Each committee maintains their own supporting policies. Medicare Compliance sponsors a FDR Oversight Committee meeting that reviews high risk FDRs. In addition, FDRs may be presented to the MCC. See the Aetna FDR Program Description for additional details.




Medicare Compliance


POLICY#: 202

Version#: 5.0



B. Aetna Medicare Compliance Procedures

1) Proposed corrective actions are added to the Medicare Compliance Archer Issue Tracking Database.

2) Status meetings between the MCO and/or a Medicare Compliance designee and the Business Owner(s) occur to ensure positive progress on the corrective action plan.

3) Corrective actions must address the root causes of any deficiency to correct the underlying problem and prevent future reoccurrences. These may include interim and long term solutions.

4) Upon completion of corrective action plan implementation, Medicare Compliance will validate the effectiveness of the corrective actions such as through testing results, schedule a follow-up audit, or develop and implement ongoing monitoring activities.

5) Medicare Compliance maintains and/or has access to documentation of all deficiencies and corrective actions taken.

6) Routine reporting of the status/progress of CAPs are provided to the MCO and other governing· bodies (e.g., MCC, etc.) and when appropriate to any of the following: the Aetna Chief Ethics and Compliance Officer, the Aetna Chief Executive Officer for Medicare, Aetna Senior Leadership, and Aetna's Board of Directors or subset. These reports may be in the form of an oral report, written report and/or dashboard view.

See supplementary Aetna Medicare Compliance Monitoring & Auditing Guide for additional details.

8. Procedures for Self-Reporting Potential FWA and Significant Non Compliance

In the event that potential FWA is identified (including at the FDR level), Aetna promptly refers the issue to the National Benefit Integrity (NBI) MEDIC, in accordance with the guidance defined by the NBI MEDIC (see SIU's Aetna Health Care Anti-Fraud Plan and policy #001.).

In the event of an instance of significant non-compliance, Aetna's MCO or his/her designee will report such incident to CMS as soon as possible after discovery, in accordance with relevant requirements and guidance.

In certain situations, Aetna engages CMS in order to proactively report key information (e.g., upcoming provider terminations, changes to First Tier, Downstream, or Related Entity (FDR) contracts for key functions, etc.). Pharmacy Benefit Manager (PBM) changes which are reported to CMS at least 60 calendar days prior to the effective date of the PBM change. Other FDR changes are evaluated by the Medicare Compliance Officer for similar proactive




Medicare Compliance



reporting as terminated or newly acquired FDR contractual agreements are reported to Medicare Compliance by Aetna's business leadership.

9. Auditing by CMS or Its Deslgnee

In accordance with Aetna's contracts with CMS, Aetna provides access to any auditor acting on behalf of the federal government, including the Office of Inspector General {OIG) or CMS to conduct a desk review or an on-site audit. In addition, Aetna's contracts with First Tiers include provisions ensuring the external entity adheres to the same requirements. Responses to requests for information used for audit purposes, or those for information requested by the Medicare Drug Integrity Contractors (MEDIC), will be responded to within the timeframe required. In the event that additional time is needed, Aetna Medicare Compliance will communicate such needs directly with requester.

SOURCE(S) / REFERENCE:

Regulatory References: • 42 CFR 422.503, 42 CFR 423.504

· • Prescription Drug Benefit Manual, Chapter 9 • Medicare Managed Care Manual, Chapter 21

RELATED POLICIES AND PROCEDURES: Relevant policies include but are not limited to the following: COMP203 - Medicare Compliance-Lines of Communication Policy and Procedure National Delegation Policy and Procedure 106 National Delegation Policy and Procedure 107 Compliance/Ethics Complaints and Concerns Handling Policy Routine Investigations Manual Aetna Health Care Anti-Fraud Plan and associated policies and procedures (#001, #032, etc.) Aetna's Record Retention Policy Refer also to the supplementary guides referenced within the policy provisions.

REVIEW:

Accountable for Policy Maintenance: Nancy Mundy. Sr Director/Compliance/Meegan Johnson. Director, Compliance

Accountable for Im lementation: John Wells Medicare Com liance Officer

APPROVAL (SIGNATURE & DATE): Legal: __Nicole Cerquitella, Medicare Legal Counsel 2/12/2015 Com liance: John Wells Medicare Com liance Officer 2/18/2015



COMP 202 · Risk Assessment Auditing Monitoring and Issue Management Page 9 of 10

Medicare Compliance



REVIEW AND REVISION HISTORY· Reason for Chanae Date Revision No. Updated as part of P&P regulatory update project; Supersedes 1.001/21/2013

.Policv 114 7/01/2013 Defined MCO annroval of Chances to Comoliance Workolan 8/30/2013

2.0 Defined communication of workplan changes to Medicare Comoliance Committee

1/13/2014

3.0

Updated for the following reasons: 2014 Readiness Checklist item of proactive reporting of FDR changes; CMS audit CAP for FDR annual audit olan addition; and annual uodate.

2/12/2015

4.0

Annual review and update 5.0



_2126/2015__________ Approval Date




tna®Medicare

DEPARTMENT:. Medicare Compliance

POLICY#: COMP 203

Version#: 3.0


POLICY TITLE: Medicare Compliance - Lines of Communication Policy and Procedure

REVISION DATE: 2/12/2015 Last Modified By: Nancy Mundy



MARKET: All


PURPOSE

The purpose of this document is to implement the relevant provIsIons of 42 C.F.R. § 422.503(b)(4)(vi) and 423.504(b)(4)(vi) and Chapter 9 of the PDBM, and Chapter 21 of the MMCM, which requires sponsors to implement an effective compliance program, including procedures for effective lines of communication ensuring confidentiality between the Compliance Officer and the organization's employees, managers, governing body, members of the MCC, and FDRs.

POLICY

Aetna Medicare Compliance will comply with all applicable federal and state standards regarding the establishment of a compliance program. Specifically, Medicare Compliance will adhere to standards for effective lines of communication, ensuring confidentiality between the Medicare Compliance Officer (MCO), members of the MCC, Aetna's employees, managers and governing body, and Aetna's FDRs. Such lines of communication will be accessible to all, be user-friendly, and allow for anonymous and confidential good faith reporting of potential or actual compliance issues as well as suspected or actual violations relating to the Medicare program. In addition, Aetna has adopted a policy of non-intimidation and non-retaliation and enforces a no tolerance policy for retaliation or retribution for good faith reporting of compliance or FWA concerns.


CMS-Centers for Medicare & Medicaid Services FDR-First Tier, Downstream, and Related entity FWA-Fraud, Waste, and Abuse HPMS-Health Plan Management System MCC-Medicare Compliance Committee MCO-Medicare Compliance Officer MMCM-Medicare Managed Care Manual PDBM-Prescription Drug Benefit Manual SIU-Special Investigations Unit USPS-United States Postal Service



COMP-203 Medicare Compliance Lines of Communications Procedure Page 1 of 5

Medicare Compliance


POLICY#: COMP 203

Version#: 3.0

POLICY TITLE: Medicare Compliance • Lines of Communications Policy and Procedure


ATTACHMENTS

None

PROCEDURE

1. Communications from the Medicare Compliance Officer

A. The MCO will communicate key initiatives and changes, including new and revised policies and procedures and updates to the Medicare Compliance Plan, to Medicare supporting employees through various Medicare Compliance communications which may include any combination of the following: Medicare Compliance Regulatory Alerts, Medicare Compliance intranet site (i.e., AetNet), training programs, verbal and written communications, and telephonic announcements.

B. Aetna's AetNet includes information about the various methods available for reporting compliance issues and concerns (see Section 2. below), as well as for reporting potential FWA issues. In addition, the AetNet contains Aetna's MCO contact information (e.g., MCO name, office location, etc.) and the Medicare Compliance Policies and Procedures.

C. Medicare Compliance may periodically develop and post intranet-based communication tools (e.g., posters, newsletters, etc.) to be accessed by employees. Such tools include key reporting requirements and information about the various methods available for reporting.

D. Medicare Compliance will distribute statutory, regulatory and sub-regulatory changes (including HPMS Memos) through a distribution and tracking tool, QuickBase. Distribution lists are maintained on an ongoing basis, and are verified at least annually with Business Leads to ensure communications are accurately directed.

E. The MCO ensures the reporting of Medicare-related compliance issues on a regular basis to the MCC, Aetna Medicare senior management, Chief Ethics and Compliance Officer, the Board of Directors or the Audit Committee of the Board of Directors, as well as any accountable business leads as necessary.

2. Communicating with and Reporting to Medicare Compliance

As described in Aetna's Code of Conduct, employees, members of the Board of Directors, and FDR employees are required to report suspected or detected noncompliance, and potential FWA. To accommodate the various topics and to establish preferred communication methods, Aetna has developed various user-friendly and easy to access methods of reporting.

A. Aetna Medicare Compliance Reporting Mechanisms:




Medicare Compliance


POLICY TITLE: EFFECTIVE DATE: Medicare Compliance - Lines of Communications Policy and 01/21/2013 Procedure

1) Directly to the MCO: the name, office location, and contact information for Aetna's MCO is displayed on the Medicare Compliance AetNet Site. The annual Business Conduct & Integrity Training directs to this intranet information, as well.

2) Email correspondence to designated Medicare Compliance mailboxes: a. [email protected] b. [email protected]

4) Medicare Compliance phone line: 215-775-6801 (May leave a message or an anonymous message)

5) Medicare Compliance Subject Matter Experts: Medicare Compliance personnel are identified on the Medicare Compliance AetNet site for their subject matter expertise. Confidential e-mails or telephonic contacts may be directed to this staff. Additionally, reporting may occur during staff ongoing interactions with the associated business units as part of normal business operations.

B. Aetna has also established a toll-free hotline, the Alertline®, which is accessible to all parties 24 hours a day/7 days a week for reporting of potential compliance and ethics issues and/ or potential FW A. 1) Aetna's Alertline®, provides for anonymous and confidential reporting (to the

greatest extent possible). 2) At least quarterly, Corporate Compliance provides the MCO with a summary of all

Medicare related Alertline®, cases. These are reviewed, and monitored by Medicare Compliance. In the event that investigative actions are warranted, Medicare Compliance, as well as Corporate Compliance maintains an active oversight role.

3) Aetna's Alertline® contact information is displayed throughout the enterprise, as well as on the AetNet, in Aetna's Code of Conduct, and in Compliance Training modules. Alertline®,allows for three ways to anonymously report; telephonically, by writing to: Corporate Compliance, P.0. Box 370205, West Hartford, CT 06137-0205 or via the Alertline®, website at https://aetna.alertline.com.

C. Aetna's SIU has established various reporting mechanisms to ensure that potential FWA can be easily reported by employees, contingent workers, employees of FDRs, and members. Reporting can be initiated via an e.Service/ web-based form, e-mail or calling a hotline. Calls to the hotline are monitored regularly, and may be made anonymously.

D. Each of the reporting methods and Aetna's no-tolerance policy of intimidation and retaliation are publicized within Aetna through its intranet site and other modalities (e.g., compliance training, etc.). Employees who report potential Medicare Compliance issues, through the above resources, or by individual meetings, by phone or by email will be kept in confidence to the greatest extent possible.

3. Recording, Responding To, and Tracking Reports

A. Medicare Compliance will respond to, assess and investigate to the extent warranted, all compliance questions and reports of suspected or detected noncompliance or potential




http:https://aetna.alertline.commailto:[email protected]:[email protected]

Medicare Compliance



FWA. Appropriate actions will be taken in accordance with Medicare Compliance Policy 202 - Risk Assessment, Auditing and Monitoring, and Issue Management Policy and Procedure.

B. Medicare Compliance ensures the recording and tracking of reports of suspected or detected noncompliance or potential FWA which may be used to identify trends and potential systemic issues.

C. FWA case details are maintained in accordance with Aetna's Record Retention Policy and operationalized by Aetna's SIU.


42 CFR 422.503(b)(4)(vi)(D) 42 CFR 423.504(b)(4)(vi)(D) Prescription Drug Benefit Manual, Chapter 9 Medicare Managed Care Manual, Chapter 21 SIU's Aetna Health Care Anti-Fraud Plan and associated Policies and Procedures Aetna's Record Retention Policy Medicare Compliance Policy 202 - Risk Assessment, Auditing and Monitoring, and Issue Management Policy and Procedure

Desk Reference/Job Aides:

None

REVIEW:

Accountable for Policy Maintenance: Nancy Mundy. Sr Director. Compliance/Meegan Johnson. Director. Compliance

Accountable for Implementation: John Wells. Medicare Compliance Officer

APPROVAL:


Legal:: Nicole Cerquitella. Medicare Legal Counsel 2/12/2015

Compliance: John Wells, Medicare Compliance Officer 2/19/2015




Medicare Compliance



REVIEW AND REVISION HISTORY:

Date Revision No. Reason for Change 01/21/2013 1.0 Updated as part of P&P regulatory update project, Supersedes Policy

116 02/07/2014 2.0 Annual review and uodate 2/12/2015 3.0 Annual review and uodate



_2/26/2015.__________ Approval Date



COMP·203 Medicare Compliance Lines of Communications Procedure Page 5 of 5

aetna®Medicare


POLICY#: COMP 204

Version#: 3.0


POLICY TITLE: Medicare Compliance and Fraud, Waste, and Abuse Training Policy and Procedure

REVISION DATE: 2/12/2015 Last Modified By: Nancy Mundy



MARKET: All


PURPOSE

Pursuant to 42 C.F.R. §§ 422.503(b)(4)(vi), and 423.504(b)(4)(vi), Chapter 9 of the PDBM, and Chapter 21 of the MMCM Aetna, as a Medicare Advantage organization and Part D plan sponsor, is required to have an effective compliance program. The purpose of this document is to set forth Aetna's policy and procedures for facilitating compliance and FWA training and code of conduct distribution.

POLICY

Aetna Medicare Compliance will comply with all applicable federal and state standards regarding the establishment of a compliance plan. Specifically, Medicare Compliance will establish, implement and provide effective compliance and FWA training including code of conduct distribution to all Aetna Medicare supporting employees (including CEO, managers, etc.), governing bodies (e.g. Board of Directors), and FDRs. Aetna's training modules are reviewed and updated, as needed, at least annually, but more often if needed to reflect changes to related laws, regulations, policy, or guidance.


AHIP-America's Health Insurance Plans SCI-Business Conduct and Integrity CEO-Chief Executive Officer CMS-Centers for Medicare & Medicaid Services DMEPOS-Durable Medical Equipment, Prosthetics, Orthotics, and Suppliers FDR-First Tier, Downstream, and Related entities FWA-Fraud, Waste, and Abuse MLN-Medicare Learning Network MMCM-Medicare Managed Care Manual PDBM-Prescription Drug Benefit Manual TrOOP-True Out of Pocket Costs



COMP·204 Medicare Compliance and FWA Training Procedure Page 1 of 5

Medicare Compliance


POLICY TITLE: EFFECTIVE DATE: Medicare Compliance and Fraud, Waste, and Abuse Training 01/21/2013 Policy and Procedure

ATTACHMENTS None

PROCEDURE

1. Aetna Employees

A Aetna's employees are provided general compliance and FWA training through the Aetna BCI Training process. In addition, individuals who are employed by other legal entities may be classified as contingent workers who also receive Aetna BCI Training. Aetna's BCI training must be completed within 90 days of hire and annually thereafter.

B. The BCI Training is reviewed annually for update needs. Off-cycle updates will be made to address significant changes to laws, regulations, policy, and guidance, as needed.

C. The identification of employees supporting Aetna's Medicare products is made by Aetna Managers through the eService Contractual Identification tool at the time of hire and reviewed and updated periodically.

D. The BCI Training is delivered through the online Aetna Learning Center. Employees are instructed to complete the training initially upon hire and then annually through systemgenerated e-mail notifications (i.e., initial notices and then subsequent reminders). Aetna's Code of Conduct is part of the BCI Training program and includes the completion of an acknowledgment of receipt, review of, and compliance with the Code of Conduct in order to receive full credit for the BCI Training.

E. BCI training completion is monitored by the Ethics and Communications Unit of Compliance & Regulatory Affairs, as well as by Medicare Compliance. Disciplinary actions are taken, as needed, to enforce completion of this required training.

F. Training records are maintained for a period of no less than ten (10) years and will include time, attendance, topic, certificates of completion (if applicable), and test scores of any tests administered.

2. Aetna's Board of Directors

Aetna's Board of Directors must also complete general compliance and FWA training within 90 days of appointment and then annually thereafter. The training materials are supplied to the Corporate Secretary who delivers them together with an attestation to each Board member. Upon completion of the course, Medicare Compliance collects the completed attestations from the Corporate Secretary. The attestations include confirmation of Code of Conduct awareness, as well as any conflict of interest disclosures.

3. FDR Employees

A. In accordance with CMS requirements, Aetna requires FDR employees to complete compliance and FWA training within 90 days of hire or contracting and at least annually



COMP·204 Medicare Compliance and FWA Training Procedure Page 2 of 5

Medicare Compliance


POLICY#: COMP 204

Version#: 3.0



thereafter. Aetna provides training materials to FDRs for their use through various mechanisms such as the following: a. Aetna's FDRs are alerted of training needs through various notifications (e.g.,

Provider Communications team reminders, Provider Newsletters, FDR Compliance Newsletters, e-mail notifications, fax blasts, website/web portal postings, participation manuals, direct mail, unit specific announcements, etc.).

b. Training packets may be provided via email to certain FDR types such as Delegates and Suppliers.

c. Aetna maintains a web-based provider portal that contains a learning center for providers to complete Aetna-required training such as FWA training. FDRs who have met the FWA certification requirements through enrollment into Parts A or B or through accreditation as a DMEPOS are deemed to have met the training and education requirements for FWA. If a provider is not deemed, they are required to complete FWA training. The provider portal, AetnaEducation.com, offers the CMS MLN training, Medicare Parts C and D FWA Training and Medicare Parts C and D General Compliance Training. Once the CMS training is complete, providers are required to certify completion online.

d. Aetna's individual contracted sales agents are required to complete training as required by CMS. Aetna utilizes the AHIP process for their training completion. (See Broker Services for related policies.)

B. In order to minimize duplication of training for FDRs, Aetna encourages FDRs to complete CMS' Medicare Parts C & D FWA Training and General Compliance Training module in the MLN.

C. In addition, Aetna communicates general compliance information through the Aetna Code of Conduct dissemination to FDRs within 90 days of contracting, with updates as necessary, and annually thereafter.

D. In the event that FDRs do not have internet access, Aetna will provide a paper copy of the training and Aetna Code of Conduct, upon request.

E. FDRs are required to retain evidence of training completion (e.g., training logs, employee certifications, etc.) for a period of no less than ten (10) years, and to make this evidence available to Aetna and/or CMS, upon request.

F. FDRs are asked to complete and submit to Aetna an annual attestation to confirm training completion.

4. Medicare Enrollees

Aetna provides education to enrollees about the identification and reporting of FWA through various mechanisms such as website postings, etc ..

5. Specialized Medicare Compliance Training

A Additional, specialized, or refresher training may be delivered by either a business area, Medicare Compliance or both, depending on the training objective.



COMP-204 Medicare Compliance and FWA Training Procedure Page 3 of 5

http:AetnaEducation.com

Medicare Compliance


POLICY#: COMP 204

Version#: 3.0



B. Operational areas deliver new hire training, training when there are significant changes to procedures, or refresh training when there is an upcoming annual event (e.g., Annual Enrollment Period). Medicare Compliance may develop and deliver specialized focused training in the event that there are issues or trends that have been identified. Topics covered and required attendees will be defined on a case by case basis.

C. Examples of specialized training that may be developed include: • Handling Complaints, Grievances and Appeals • Marketing to Medicare beneficiaries. • Medicare Regulatory Guidance Distribution & Validation process • FDR Compliance Program Requirements


42 CFR 422.503(b}(4)(vi)(C & D)

42 CFR 423.504(b)(4)(vi)(C & D)

42 CFR 422.2274(b)

42 CFR 423.2274(b)

Prescription Drug Bene/if Manual, Chapter 9

Medicare Managed Care Manual, Chapter 21

Desk Reference/Job Aides: None

REVIEW:

Accountable for Policy Maintenance: Nancy Mundy, Sr Director, Compliance/Meegan Johnson, Director, Compliance

Accountable for Implementation: John Wells, Medicare Compliance Officer

APPROVAL:


Legal: Nicole Cerquitella, Medicare Legal Counsel 2/13/2015 Compliance: John Wells, Medicare Compliance Officer 2/19/2015




Medicare Compliance



POLICY#: COMP 204

Version#: 3.0


REVIEW AND REVISION HISTORY· Date Revision No. Reason for Chanae 01/21/2013 1.0 Updated as part of P&P regulatory update project;

Sunersedes Policv 114 02/7/2014 2.0 Updated to include BCI Training usage; annual review and

undate 2/12/2015 3.0 Annual review and uodate



_2/26/2015.__________ Approval Date




Structure BookmarksFigure:;::::::::t;,4 ,, r"",:;;rr-__.JmE"·"" Fffrbtrum! .. , ( \ f1 ,,1!11!(!iii'U:i:>-,' I l Developed by the Centers for Medicare & Medicaid Services Issued: February, 2013 FigureFigureFigureDon't have training in place? Already have your own training In place? Proof of training completion Don't have your own code? Medicare compliance department policies Share our Code and policies Where is the OIG? Where is the GSA/SAM? How do I report noncompliance or potential fraud, waste, and abuse (FWA) to Aetna? No need to develop your own.